Merge Commit are not signed since 15.11.2 (at least)
Summary
With a Omnibus CE installation and a /etc/gitlab/gitlab.rb
containing the configuration to let Gitaly signs commit issued from the Web UI, and since the version 15.11.2, the merge commits are not signed anymore.
Both classical edits and Web IDE are working and commits made from one of these are correctly signed but commits issued from the Merge button of a Merge Request are not signed.
This bug appeared after upgrading from 15.10.6 to 15.11.2.
Steps to reproduce
- Deploy a Omnibus CE installation, v15.11.2, with this configuration to the
gitlab.rb
config file:
gitaly['configuration'] = {
git: {
signing_key: '<PATH_TO_SIGNING_KEY>'
},
}
- Open a merge request
- Merge it
- Look up commits
- Merge commits not signed
Example Project
None
What is the current bug behavior?
Merge Commit are not signed even with the right configuration.
What is the expected correct behavior?
Signed Merge Commit with the right configuration.
Relevant logs and/or screenshots
Output of checks
Results of GitLab environment info
Expand for output related to GitLab environment info
System information System: Ubuntu 20.04 Current User: git Using RVM: no Ruby Version: 3.0.6p216 Gem Version: 3.2.33 Bundler Version:2.3.15 Rake Version: 13.0.6 Redis Version: 6.2.11 Sidekiq Version:6.5.7 Go Version: unknown GitLab information Version: 15.11.2 Revision: f17ae0d7169 Directory: /opt/gitlab/embedded/service/gitlab-rails DB Adapter: PostgreSQL DB Version: 12.12 URL: https://gitlab.numberly.in HTTP Clone URL: https://gitlab.numberly.in/some-group/some-project.git SSH Clone URL: git@gitlab.numberly.in:some-group/some-project.git Using LDAP: yes Using Omniauth: yes Omniauth Providers: google_oauth2 GitLab Shell Version: 14.18.0 Repository storages: - default: unix:/var/opt/gitlab/gitaly/gitaly.socket GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Results of GitLab application Check
Expand for output related to the GitLab application check
(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:check SANITIZE=true
)Checking GitLab subtasks ...
Checking GitLab Shell ...
GitLab Shell: ... GitLab Shell version >= 14.18.0 ? ... OK (14.18.0) Running /opt/gitlab/embedded/service/gitlab-shell/bin/check Internal API available: OK Redis available via internal API: OK gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Gitaly ...
Gitaly: ... default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Sidekiq: ... Running? ... yes Number of Sidekiq processes (cluster/worker) ... 1/1
Checking Sidekiq ... Finished
Checking Incoming Email ...
Incoming Email: ... Reply by email is disabled in config/gitlab.yml
Checking Incoming Email ... Finished
Checking LDAP ...
LDAP: ... Server: ldapmain not verifying SSL hostname of LDAPS server 'ad-par5.numberly.in:636' LDAP authentication... Success LDAP users with access to your GitLab server (only showing the first 100 results) User output sanitized. Found 100 users of 100 limit.
Checking LDAP ... Finished
Checking GitLab App ...
Database config exists? ... yes All migrations up? ... yes Database contains orphaned GroupMembers? ... no GitLab config exists? ... yes GitLab config up to date? ... yes Cable config exists? ... yes Resque config exists? ... yes Log directory writable? ... yes Tmp directory writable? ... yes Uploads directory exists? ... yes Uploads directory has correct permissions? ... yes Uploads directory tmp has correct permissions? ... yes Systemd unit files or init script exist? ... skipped (omnibus-gitlab has neither init script nor systemd units) Systemd unit files or init script up-to-date? ... skipped (omnibus-gitlab has neither init script nor systemd units) Projects have namespace: ... 3/1 ... yes 3/4 ... yes 13/12 ... yes 3/13 ... yes 3/15 ... yes 26/16 ... yes 52/21 ... yes 52/24 ... yes 52/29 ... yes 52/31 ... yes 52/33 ... yes 52/34 ... yes 52/35 ... yes 52/37 ... yes 52/38 ... yes 71/39 ... yes 71/40 ... yes 71/41 ... yes 71/42 ... yes 78/43 ... yes 78/44 ... yes 78/45 ... yes 78/46 ... yes 78/48 ... yes 78/55 ... yes 78/56 ... yes 78/57 ... yes 78/58 ... yes 78/59 ... yes 78/60 ... yes 78/64 ... yes 78/65 ... yes 78/66 ... yes 78/68 ... yes 106/69 ... yes 118/70 ... yes 125/71 ... yes 125/72 ... yes 3/73 ... yes 5/74 ... yes 6/79 ... yes 13/81 ... yes 3/83 ... yes 148/86 ... yes 148/87 ... yes 148/88 ... yes 148/89 ... yes 148/90 ... yes 150/91 ... yes 150/92 ... yes 161/93 ... yes 163/94 ... yes 26/95 ... yes 166/96 ... yes 168/97 ... yes 170/98 ... yes 172/99 ... yes 174/100 ... yes 176/101 ... yes 178/102 ... yes 180/103 ... yes 182/104 ... yes 184/105 ... yes 186/106 ... yes 188/107 ... yes 190/108 ... yes 192/109 ... yes 194/110 ... yes 196/111 ... yes 198/112 ... yes 200/113 ... yes 202/114 ... yes 204/115 ... yes 206/116 ... yes 208/117 ... yes 210/118 ... yes 212/119 ... yes 214/120 ... yes 216/121 ... yes 219/122 ... yes 221/123 ... yes 224/124 ... yes 226/125 ... yes 228/126 ... yes 230/127 ... yes 232/128 ... yes 234/129 ... yes 236/130 ... yes 238/131 ... yes 240/132 ... yes 242/133 ... yes 244/134 ... yes 246/135 ... yes 248/136 ... yes 250/137 ... yes 252/138 ... yes 254/139 ... yes 256/140 ... yes 258/141 ... yes 260/142 ... yes 262/143 ... yes 264/144 ... yes 266/145 ... yes 269/146 ... yes 271/147 ... yes Redis version >= 6.0.0? ... yes Ruby version >= 2.7.2 ? ... yes (3.0.6) Git user has default SSH configuration? ... yes Active users: ... 44 Is authorized keys file accessible? ... yes GitLab configured to store new projects in hashed storage? ... yes All projects are in hashed storage? ... yes
Checking GitLab App ... Finished
Checking GitLab subtasks ... Finished
Possible fixes
I have no idea, I dug into gitaly code and didn't find why merges commits are not signed while others are. I tried to enable old and new way to configure the signing key, without success.